
Antiphishing false positives

Versions / Builds Affected

20.3

Status

Resolved

Problem Summary

There are Antiphishing false positives and the customer is not willing to use the Whitelist as a workaround.

TT / JIRAID

GFIME-2704

How to Identify

The customer reports false positives for Antiphishing, such as for Amazon:

2017-05-31,11:31:56,154,1,"#0000267c","#00008ef4","info ","ase_purbl","Checking URL [https://s3.amazonaws.com/flashissue/gHd2XoyiQbKBqljm7bzg]"
2017-05-31,11:31:56,154,1,"#0000267c","#00008ef4","info ","ase_purbl","[https://s3.amazonaws.com/flashissue/gHd2XoyiQbKBqljm7bzg] [209874] hpts: 3 pats: 53"
2017-05-31,11:31:56,154,1,"#0000267c","#00008ef4","info ","ase_purbl",">> spammy: [https://s3.amazonaws.com/flashissue/gHd2XoyiQbKBqljm7bzg]"
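To gather every URL flagged this way from a larger log, the ">> spammy" verdict lines can be extracted and grouped by host. The following Python script is an added example, not GFI tooling: the column layout (module name in column 8, message in column 9), the function names spammy_verdicts and hosts_by_hits, and the fourth sample line are assumptions made for illustration.

```python
import csv
import io
import re
from collections import Counter
from urllib.parse import urlsplit

# First three lines are the article's log excerpt; the last is constructed
# (a URL that was checked but never marked spammy).
SAMPLE_LOG = '''\
2017-05-31,11:31:56,154,1,"#0000267c","#00008ef4","info ","ase_purbl","Checking URL [https://s3.amazonaws.com/flashissue/gHd2XoyiQbKBqljm7bzg]"
2017-05-31,11:31:56,154,1,"#0000267c","#00008ef4","info ","ase_purbl","[https://s3.amazonaws.com/flashissue/gHd2XoyiQbKBqljm7bzg] [209874] hpts: 3 pats: 53"
2017-05-31,11:31:56,154,1,"#0000267c","#00008ef4","info ","ase_purbl",">> spammy: [https://s3.amazonaws.com/flashissue/gHd2XoyiQbKBqljm7bzg]"
2017-05-31,11:32:10,201,1,"#0000267c","#00008ef8","info ","ase_purbl","Checking URL [https://www.example.com/newsletter]"
'''

# Message shapes seen in the excerpt. What the bracketed number, "hpts" and
# "pats" mean is not documented on the page, so they are kept as raw strings.
MATCH_RE = re.compile(r"^\[(?P<url>[^\]]+)\] \[(?P<ref>\d+)\] hpts: (?P<hpts>\d+) pats: (?P<pats>\d+)$")
SPAMMY_RE = re.compile(r"^>> spammy: \[(?P<url>[^\]]+)\]$")

def spammy_verdicts(log_text):
    """Return one record per '>> spammy' verdict, joined with its match line."""
    matches, flagged = {}, []
    for row in csv.reader(io.StringIO(log_text)):
        # Assumed layout: module name in column 8, message in column 9.
        if len(row) < 9 or row[7].strip() != "ase_purbl":
            continue
        key_ids, msg = (row[4], row[5]), row[8]
        m = MATCH_RE.match(msg)
        if m:
            matches[key_ids + (m["url"],)] = m.group("ref", "hpts", "pats")
            continue
        m = SPAMMY_RE.match(msg)
        if m:
            ref, hpts, pats = matches.get(key_ids + (m["url"],), (None, None, None))
            flagged.append({"timestamp": f"{row[0]} {row[1]}", "url": m["url"],
                            "host": urlsplit(m["url"]).hostname,
                            "ref": ref, "hpts": hpts, "pats": pats})
    return flagged

def hosts_by_hits(flagged):
    """Count verdicts per host, most frequent first, to spot shared-hosting false positives."""
    return Counter(r["host"] for r in flagged).most_common()

if __name__ == "__main__":
    for rec in spammy_verdicts(SAMPLE_LOG):
        print(rec)
```

The resulting records give the timestamp and URL needed to locate the matching email sample when a false positive has to be submitted to the vendor.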

Workaround / Fix Details

The following patch and procedure should resolve this issue:

1. Download the following files:
   http://psg.gfi.com/ME/Temp/PURBL.DLL
   http://cdnupdate.gfi.com/ap/current_revision.zip
2. Right-click the zip file and choose Properties. From the General tab, click Unblock and then Apply.
3. Uncompress current_revision.zip to retrieve the file inside (current_revision).
4. Stop the Microsoft Exchange Transport and GFI MailEssentials AS Scan Engine services.
5. Back up \GFI\MailEssentials\Antispam\purbl.dll to purbl.dll.old and replace it with the attached DLL.
6. Back up \GFI\MailEssentials\Antispam\Data\blocklist.db to blocklist.db.old and move current_revision from step 2 to this location.
7. Rename the file you moved to blocklist.db. At the end, you should have blocklist.db.old (the old blocklist.db) and blocklist.db (the old current_revision) in \GFI\MailEssentials\Antispam\Data.
8. Start GFI MailEssentials AS Scan Engine and Microsoft Exchange Transport.

Note: is usually C:\Program Files (x86)\

Required Actions

The procedure above downloads a fresh set of updates for the Antiphishing database. Alternatively, please provide the Level 3 engineers with the false-positive email sample and logs to submit to the vendor (Netcraft).
  1. Priyanka Bhotika
